For many in the privacy profession, 2018 is arguably the year of the EU General Data Protection Regulation. However, thanks in part to the Facebook-Cambridge Analytica data sharing opprobrium, there has been renewed interested in domestic U.S. privacy law by the general public. While the impact of the Cambridge Analytica revelations is bound to create vicissitude regarding how user data is handled, there is another case I believe could have an extensive impact on the privacy tools companies will be able to employ to protect and govern user data.
The case between hiQ Labs and the LinkedIn Corporation is not as sexy as the collection and use of user data by Cambridge Analytica to allegedly influence democratic elections, nonetheless, it stands to impact how we interact with technology and each other.
LinkedIn’s complaint states that hiQ Labs scrapes information from the public profiles of LinkedIn users and uses that scraped information to create enterprise-focused products that it then sells to employers (e.g. a product which can analyze flight risk across an entire company and even of individual employees). In May of 2017, LinkedIn sent a cease-and-desist letter to hiQ Labs, demanding that it stop scraping information from LinkedIn user profiles. LinkedIn’s letter stated that, by accessing LinkedIn’s data, hiQ Labs had violated state and federal law, including California Penal Code Section 502(c), state common law of trespass, the federal Computer Fraud and Abuse Act, and the Digital Millennium Copyright Act.
LinkedIn and hiQ Labs could not resolve the issue.
HiQ Labs filed a complaint seeking a declaration that its conduct did not violate the laws asserted by LinkedIn in the cease-and-desist letter. HiQ then moved for a temporary restraining order and preliminary injunction, emphasizing the threatened irreparable harm — it would go out of business if LinkedIn prevailed. The court held a hearing on hiQ’s request for a temporary restraining order June 29, 2017. The parties then entered into a standstill agreement pending resolution of hiQ’s motion for preliminary injunction. After the parties filed supplemental briefs, the court held a hearing on the preliminary injunction July 27. On Aug. 14, Judge Chen granted hiQ Lab’s injunction request in his written opinion. LinkedIn filed a Notice of Appeal Sept. 5. Several third parties submitted amicus briefs, including the Electronic Privacy Information Center. The last update on the case was that the 9th Circuit heard oral arguments on March 15, 2018.
Broadly, the argument between hiQ and LinkedIn involves important questions about the DMCA, the CFAA, and to some degree, the First Amendment and what is public information. While these issues will be front and center in the final decision, one issue I believe the court must ensure that it addresses is how the decision will impact the privacy practices of companies and the users whose data have been scraped.
The primary privacy concern is that hiQ has no responsibility to the owners of the data that they scrape. If a LinkedIn user was to close her account, LinkedIn is bound by its own privacy policy on how it will handle that data after the closure of the account. That same user will be able to bring a claim against LinkedIn in the event that LinkedIn does not follow through with its obligations as laid out in its privacy policy.
However, when that same user closes her LinkedIn account, hiQ’s control and use of that data is not bound by any preexisting agreement between the user and hiQ. Additionally, if that user was able to determine that her data had been scraped by hiQ, even if the user were to request that hiQ discontinue use of the data, hiQ is not legally obligated to comply with such a request because they are not bound by any agreement. Additionally, hiQ will claim as they have in their case with LinkedIn, that the information was public and therefore they can do as they please with it.
Unfettered access to user data should be a concern for any user of a platform like LinkedIn. If our data can be scraped, against the will of the service provider, and that data can then be used for whatever purpose the scraper determines, the potentially damaging effects for users of services like LinkedIn could likewise be endless.
In the wake of the Cambridge Analytica scandal, it remains to be seen if meaningful privacy legislation will be presented. Nonetheless, issues such as the one presented in hiQ v. LinkedIn, suggest that it is time for user-centric privacy legislation to be in place. In many ways, the requirements of the GDPR are already making an impact, but the issue here is unique in that the service provider is being forced to allow the scraping.
I believe that a codified right over personal data in the U.S. would be ideal solution.
However, at a minimum, there should be a requirement for a contract to exist between the scraper and the service provider being scraped. A requirement such as this could prompt service providers to ensure that proper consent and notice have been provided to their users, as well as provide service providers with grounds upon which they ensure that the data of individuals who do not want their data scraped can be respected. In many ways, this is how business is currently done. Yet, mandating that scraping require a contract to exist will ensure that instances like the one in hiQ v. LinkedIn will be eliminated, thereby protecting the privacy of users.
I am not in any way trying to profess to have knowledge of all of the issues that could arise from such a requirement. I believe that it is crucial that companies like LinkedIn, Facebook and Google to name a few, are involved in the drafting of user-centric privacy legislation.
I will disclose that I am biased towards LinkedIn in this matter. Not only did I spend a period as a privacy law clerk with the company, but I am a huge believer in LinkedIn and the empowering nature of the service.
Likewise, I am a huge believer in privacy controls and rules because I believe that they help to ensure that services like LinkedIn continue to be empowering. While ultimately this case does not turn on this privacy issue, I think that there are major privacy implications that could arise depending on the outcome of this case that remains to be seen.
Ironically, the implications of the Facebook-Cambridge Analytica scandal might impact this case as well. Even as the GDPR quickly approaches its enforcement date and the Facebook issue continues to dominate the news cycle, I, for one, will be closely watching the results of LinkedIn v. hiQ. I hope that this piece has put the case on your radar if it was not already.
photo credit: HugoEscalpelo Iván Abreu en Centro de Cultura Digital via photopin